Petri Net Reachability Graphs: Decidability Status of First Order Properties

HAL Id: hal-00743935

https://hal.inria.fr/hal-00743935

Submitted on 22 Oct 2012

HAL is a multi-disciplinary open access archive for the deposit and dissemination of sci- entific research documents, whether they are pub- lished or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers.

L’archive ouverte pluridisciplinaire HAL, est destinée au dépôt et à la diffusion de documents scientifiques de niveau recherche, publiés ou non, émanant des établissements d’enseignement et de recherche français ou étrangers, des laboratoires publics ou privés.

First Order Properties

Philippe Darondeau, Stephane Demri, Roland Meyer, Christophe Morvan

To cite this version:

Philippe Darondeau, Stephane Demri, Roland Meyer, Christophe Morvan. Petri Net Reachability

Graphs: Decidability Status of First Order Properties. Logical Methods in Computer Science, Logical

Methods in Computer Science Association, 2012, 8 (4:9), pp.1-28. �10.2168/LMCS-8(4:9)2012�. �hal-

00743935�

PETRI NET REACHABILITY GRAPHS:

DECIDABILITY STATUS OF FIRST-ORDER PROPERTIES ^∗

PHILIPPE DARONDEAU

, STEPHANE DEMRI

, ROLAND MEYER

, AND CHRISTOPHE MORVAN

a

INRIA Rennes Bretagne Atlantique, Campus de Beaulieu, Rennes, France e-mail address: philippe.darondeau@inria.fr

b

LSV, ENS Cachan, CNRS, INRIA, France e-mail address: Stephane.Demri@lsv.ens-cachan.fr

c

University of Kaiserslautern, Germany e-mail address: meyer@cs.uni-kl.de

d

Universit´e Paris-Est, Marne-La-Vall´ee, France e-mail address: christophe.morvan@univ-paris-est.fr

Abstract. We investigate the decidability and complexity status of model-checking prob- lems on unlabelled reachability graphs of Petri nets by considering first-order and modal languages without labels on transitions or atomic propositions on markings. We consider several parameters to separate decidable problems from undecidable ones. Not only are we able to provide precise borders and a systematic analysis, but we also demonstrate the robustness of our proof techniques.

1. Introduction

Decision problems for Petri nets. Petri nets are among the oldest families of generators of infinite state systems, and much effort has been dedicated to their algorithmic analysis. For Petri nets, the reachability problem is hard but decidable [35]. Further important prob- lems that are specific to Petri nets and that were shown decidable are boundedness [29, 38], deadlock-freeness and liveness [20] (by reduction to reachability), persistence [18], and semi- linearity [22]. Hack’s thesis [20] provides a comprehensive overview of problems equivalent to Petri net reachability. On the negative side, language equality is undecidable for labelled Petri nets [21, 1], but it can be decided for injectively labelled as well as for labelled and deterministic Petri nets [37] (by a reduction to reachability). Another undecidability result for Petri nets, obtained by Rabin [4] and Hack [21], is that equality of reachability sets of two Petri nets with identical places is undecidable. As our main contribution, we link this result to first-order logic expressing properties of general Petri net reachability graphs.

1998 ACM Subject Classification: F.1.1, F.4.1.

Key words and phrases: Petri nets, First order logic, Reachability graph.

∗

A short version of this paper was published at FSTTCS 2011.

LOGICAL METHODS

lIN COMPUTER SCIENCE DOI:10.2168/LMCS-8(4:9)2012

c P. Darondeau, S. Demri, R. Meyer, and C. Morvan CC Creative Commons

We provide a robust proof schema that entails undecidability of most logical fragments interpreted on such graphs.

Our motivations. For Petri nets, model checking CTL formulae with atomic propositions of the form p > 0 (place p contains at least one token) is known to be undecidable [13].

This negative result carries over to all fragments of CTL containing the modalities EF or AF. Furthermore, model checking CTL without atomic propositions but with next- time modalities indexed by action labels is undecidable too [13]. In contrast, LTL model- checking over vector addition systems with states is ExpSpace -complete [19] when atomic propositions refer to control states.

These negative results do not compromise the search for decidable fragments of first- order logic that describe, only purely graph-theoretically, the shape of the Petri net state graphs. So we intentionally avoid edge labels and atomic propositions interpreted on mark- ings. As an example, we shall consider the first-order structure ( N ⁿ , − →) derived from a Petri net N with n places such that M − → M ^′ iff M evolves to M ^′ by firing a transition of N . Since ( N ⁿ , − →) is an automatic structure, its first-order theory over predicates − → and = is decidable, see e.g. [6]. This decision procedure can be extended to Petri net state graphs with Presburger-definable predicates on markings and with labels on transitions. As a second example of results related to our work, given a formula ϕ in FO(− →, =) with free variables x 1 , . . . , x m , one can effectively construct a Presburger formula that characterizes exactly the markings satisfying ϕ in ( N ⁿ , − →).

However, it is unclear what happens if we consider the first-order theory of − → over the practically interesting structure (Reach(N ), − →). Here, Reach(N ) denotes the set of all markings reachable from the initial marking of Petri net N . Our paper studies this problem.

We investigate the decidability status of several first-order logics, sometimes extended by a bit of MSO (via reachability predicates), sharing with [40] a common motivation. The properties of the reachability graph we are interested in are purely graph-theoretical in that they do not refer to tokens or transition labels and they are mostly local in that we often restrict ourselves to − → instead of its transitive closure. As summarised in Table 1 (Section 5) we settle the decidability status of most problems. To the best of our knowledge, this is the first study of logics for the reachability graph. In particular, related logics in [3] consider quantitative properties on markings and transitions, and evaluate formulae on runs. We do not refer to tokens or to transition labels.

Our contributions. We investigate the model-checking problem over structures of the form (Reach(N ), − →, − →) generated from Petri nets ^∗ N with first-order languages including pred- icate symbols for − → and/or − →. We consider variants depending on the predicates and ^∗ on whether Reach(N ) or − → ^∗ are effectively semilinear. This allows us to provide a refined analysis about the decidability borders for such problems. As it is a classical fragment of first-order logic, we also consider the modal language ML(, ⁻¹ ) with forward and backward modalities. Let us mention some features of our investigation:

(1) Undecidability proofs are obtained by reduction from the equality problem (or the in-

clusion problem) between reachability sets defined by Petri nets, shown undecidable

in [4, 21]. We demonstrate that our proof schema is robust and can be adapted to

numerous formalisms specifying local properties as in first-order logic. Moreover, un-

decidability can be obtained even for a fixed formula (i.e., for a fixed property).

(2) To determine the cause of undecidability, we investigate logical fragments. At the same time, we strive for maximally expressive decidable fragments. With these two goals, our study on graph-theoretical properties is quite systematic.

(3) For decidable problems, we assess the computational complexity — either relative to standard complexity classes such as PSpace or ExpSpace or by establishing a reduction from the reachability problem for Petri nets (when decision procedures rely on solving instances of this problem).

Our main findings are as follows (refined statements can be found in the body of the paper, see also Table 1 in Section 5):

⋆ Model-checking (Reach(N ), − →) [resp. (Reach(N ), − →), (Reach(N ^∗ ), − →)] is undecidable for ⁺ the corresponding first-order language with a single binary predicate symbol.

⋆ Undecidability is also shown for the positive fragment of FO(− →), for the forward frag- ment of FO(− →), and for FO(− →) augmented with − →. The latter result even holds if the ^∗ reachability sets are effectively semilinear.

⋆ Combining procedures for coverability and reachability in Petri nets, we obtain some positive results. We prove that model-checking the existential fragment of FO(− →) is decidable, but as hard as the reachability problem for Petri nets. Moreover, the model checking problem is decidable for FO(− →, − →, ^∗ =) under the assumption that the relations

−

→ and − → ^∗ are semilinear (consequence of [6]). We have not found any decision result between these two extremes.

⋆ Concerning the modal language ML(, ⁻¹ ), the global model-checking problem on (Reach(N ), − →) is undecidable but it becomes decidable when restricted to ML() (even if extended with Presburger-definable predicates on markings); the latter problem is also as hard as the reachability problem for Petri nets.

One may regret that our main results turn towards undecidability but this was not clear at all when we began our study. On the positive side, we were able to identify non-trivial fragments for which the decision problems can be of high computational complexity. Our results shed some new light on the verification of structural properties on unlabelled net reachability graphs.

Structure of the paper. The remaining sections are organized as follows. Section 2 brings the background of the study. Section 3 presents results that focus on the reachability graph without the reachability predicate. Section 4 presents those involving the reachability predicate.

2. Preliminaries

We recall basics on Petri nets and semilinear sets and we give the standard definitions

and fundamental results used in the paper. We first introduce the notations needed when

considering Petri net reachability graphs as models for first-order sentences. Then, we define

first-order logic and modal logic interpreted on graphs induced by Petri nets. Finally, we

present positive decidability results about model-checking problems.

2.1. Petri nets. A Petri net is a bi-partite graph N = (P, T, F, M ₀ ), where P and T are finite disjoint sets of places and transitions, and F : (P × T ) ∪ (T × P ) → N is a set of directed edges with non-negative integer weights. A marking of N is a function M : P → N . M ₀ is the initial marking of N . A transition t ∈ T is enabled at a marking M, written M [ti, if M (p) ≥ F (p, t) for all places p ∈ P . If t is enabled at M then it can be fired. This leads to the marking M ^′ defined by M ^′ (p) = M (p) + F (t, p)−F (p, t) for all p ∈ P . The firing relation is denoted by M[tiM ^′ . The definitions are extended to transition sequences s ∈ T ^∗ in the expected way. A marking M ^′ is reachable from a marking M if M[siM ^′ for some s ∈ T ^∗ . A transition t is in self-loop with a place p iff F (p, t) = F (t, p) > 0. A transition is neutral if it has null effect on all places. The reachability set Reach(N ) of N is the set of all markings that are reachable from the initial marking.

Theorem 2.1. [35] Given a Petri net N and two markings M and M ^′ , one can decide whether M ^′ is reachable from M .

Theorem 2.2. [4, 21] Given two Petri nets N and N ^′ , it is undecidable whether Reach(N ) = Reach(N ^′ ) [resp. Reach(N ) ⊆ Reach(N ^′ )].

A stronger version of Theorem 2.2 has been established in [28] where it was shown that undecidability still holds when N and N ^′ have five places and one of these nets is fixed.

A Petri net N = (P, T, F, M 0 ) induces several standard structures on which first-order logics may be interpreted. The plain unlabelled reachability graph of N is the structure PURG(N ) = (D, − →) where D = Reach(N ) and − → is the binary relation on D defined by M − → M ^′ if M[tiM ^′ for some t ∈ T . Note that M ₀ ∈ D but no predicate is given to identify this specific marking. The unlabelled reachability graph of N is the structure URG(N ) = (D, init, − →, − →, ^∗ − →, ⁺ =) where init = {M ₀ }, and relations − → ^∗ and − → ⁺ are the iterative and strictly iterative closures of − →, respectively. The unlabelled transition graph of N is the structure UG(N ) = ( N ^P , init, − →, − →, ^∗ − →, ⁺ =) where M − → M ^′ if M[tiM ^′ for some transition t ∈ T . Note that reachability of markings is not taken into account in UG(N ).

In the sequel, by default card(P ) = n and we identify N ^P and N ⁿ . We also call 1-loop an edge M − → M ^′ with M = M ^′ .

2.2. Petri nets and semilinear sets. We rely on results about the semilinear subsets of N ⁿ that represent possible markings of a Petri net with n places. Recall that ( N ⁿ , +) is a commutative monoid where the product operation is the componentwise addition of n-vectors (+) and the neutral element is the null n-vector.

A subset E ⊆ N ⁿ is called linear if it can be expressed as x + {y ₁ , . . . , y _m } ^∗ for vectors

x ∈ N ⁿ and y ₁ , . . . , y m ∈ N ⁿ . The Kleene iteration {y ₁ , . . . , y m } ^∗ is a shorthand notation

for k ₁ y ₁ + . . . + k _m y _m for some k ₁ , . . . , k _m ∈ N . A subset E ⊆ N ⁿ is semilinear if it is

a finite union of linear subsets. Owing to the commutativity of the product operation

+, semilinear subsets of N ⁿ coincide with the regular subsets of N ⁿ . Hence, they are

generated by finite automata over N ⁿ . Indeed, one can always choose finite automata

whose transitions are labelled with generators, i.e., with n-vectors with a single non-null

entry equal to 1. The semilinear subsets of N ⁿ form an effective Boolean algebra [16],

hence providing decision procedures for emptiness. In [17], Ginsburg and Spanier gave an

effective correspondence between semilinear subsets and Presburger subsets, i.e., subsets

of N ⁿ definable in Presburger arithmetic. Presburger arithmetic can be decided in triple

exponential time [8].

Proposition 2.3. Given a Petri net N = (P, T, F, M ₀ ) and a semilinear subset of markings E ⊆ N ^{|P |} , one can decide whether (some marking in) E can be reached from M ₀ .

Hack reduced this semilinear reachability problem to the reachability problem in Petri nets [21, Lemma 4.3]. The proposition now follows with the decidability of reachability in Theorem 2.1. The statement shows in particular that for any marking M ∈ N ^{|P |} , one can decide whether a marking greater than or equal to M is reachable.

We recalled in the introduction that it is decidable whether the reachability set of a Petri net system is semilinear. Note that semilinearity of the reachability set Reach(N ) does not entail semilinearity of the reachability relation − → ⊆ ^∗ Reach(N ) × Reach(N ) ⊆ N ^{|P |+|P |} . Here are some classes of Petri nets and counter systems for which the reachability relation

− ∗

→ is effectively semilinear (apart from bounded Petri nets):

⋆ Cyclic Petri nets, see e.g. [2, 9, 32].

⋆ Communication-free Petri nets [12].

⋆ Vector addition systems with states of dimension 2 [25, 33].

⋆ Single-path Petri nets [26].

⋆ Petri nets with regular languages [41].

⋆ Flat affine counter systems with the finite monoid property [7, 14].

⋆ Flat relational counter systems [11, 10].

⋆ Reversal-bounded counter systems [27].

Some of these results require complex machinery but they are essential to use the decision procedures based on effective semilinearity.

2.3. First-order languages. To specify properties of structures URG(N ), PURG(N ) and UG(N ) obtained from a Petri net N , we introduce a first-order logic FO with atomic predicates x − → y, x − → ^∗ y, x − → ⁺ y and init(x). Formulae in FO are defined by

x − → y | x − → ^∗ y | x − → ⁺ y | init(x) | x = y | ¬ϕ | ϕ ∧ ϕ | ∃ x ϕ | ∀ x ϕ.

Given a set P of predicate symbols from the above signature, we denote the restriction of FO to the predicates in P by FO( P ). By default, FO refers to the full language. Formulae are interpreted either on PURG(N ), URG(N ) or UG(N ). Observe that FO on UG(N ) enables, using init and reachability predicates, to relativize formulae to URG(N ), but restricted logical languages motivate the existence of both structures. It is worth noting that by slight abuse, we sometimes use the same notation for a predicate symbol and its fixed interpretation. Note that, as regards interpretation, − → ^∗ = (= ∪ − →) and ⁺ − → ⁺ = (− → ◦ − →), hence ^∗ FO(init, − →, − →, ⁺ =), FO(init, − →, − →, ^∗ =), and FO(init, − →, − →, ⁺ − →, ^∗ =) are equally expressive.

FO indicates that one can quantify over markings. Note that predicates − → ⁺ or − → ^∗ exceed the expressiveness of usual first-order logics on graphs. We omit the standard definition of the satisfaction relation U , v | = ϕ with U a structure (PURG(N ), URG(N ) or UG(N )) and v a valuation of the free variables in ϕ. For example, ∀x ϕ holds true whenever the formula ϕ holds true for all elements (markings) of the considered structure. Sentences are closed formulae, i.e., without free variables. If U | = ϕ then U is called a model of ϕ.

It is worth noting that FO can only describe graph-theoretical properties of the struc-

tures U , apart from equality tests. The binary relations do not use transitions of nets as

labels and no atomic propositions give reference to markings. As a consequence, quantita-

tive properties about markings cannot be expressed in FO, at least in the obvious way, and

constraints about the firing of specific transitions cannot be expressed either. Note that FO is not minimal when it comes to expressiveness. The redundancies, however, help us design interesting logical fragments.

In the sequel, we consider several model-checking problems. The model-checking problem MC ^URG (FO) is stated as follows:

input:: a Petri net N = (P, T, F, M ₀ ) and a sentence ϕ ∈ FO question:: URG(N ) | = ϕ?

The variant MC ^UG (FO) is:

input:: a Petri net N = (P, T, F, M 0 ) and a sentence ϕ ∈ FO question:: UG(N) | = ϕ?

The logics FO( P ) (atomic formulae restricted to predicates in P ) induce restricted variants of the two model checking problems that we denote by MC ^URG (FO( P )) and MC ^UG (FO( P )), respectively. Formulae in FO can express standard structural properties, for instance deadlock-freeness with ∀x ∃y x − → y, existence of a 1-loop with ∃x x − → x, or cyclicity with ∀x∀y x − → ^∗ y ⇒ y − → ^∗ x. Automatic structures form a large class of structures having a decidable model checking problem for FO. These structures have presentations in which k-ary relations are defined by synchronous automata (see [6] for more details).

Theorem 2.4. [6] Let S be an automatic structure, then MC ^S (FO) is decidable.

From [16], semilinear sets and semilinear relations are automatic. In particular, this means that ( N ⁿ , − →, =) is automatic. Propositions 2.5, 2.6 and 2.7 are consequences of Theorem 2.4; they are provided below to present more explicitly what is the current state of knowledge.

Proposition 2.5. MC ^UG (FO(− →, =)) is decidable.

Note that given ϕ in FO(− →, =), one can effectively build a Presburger formula that char- acterizes exactly the valuations satisfying ϕ in UG(N ). Decidability is preserved with Presburger-definable properties on markings and with labelled transition relations [ti. How- ever, having N ⁿ as a domain does not always guarantee decidability, see the undecidability result in [40, Theorem 2] about a structure with domain N ⁿ but equipped with succes- sor relations for each dimension and with reachability predicates constrained by regular languages. Likewise, subproblems of MC ^URG (FO) may require additional assumptions to achieve decidability, as the semilinearity assumption made in the statement below. The proposition also follows from Theorem 2.4.

Proposition 2.6. Let C be a class of Petri nets for which the restriction on reachable markings of the reachability relation x − → ^∗ y is effectively semilinear. Then, MC ^URG (FO) restricted to C is decidable.

Proof. Let N = (P, T, F, M 0 ) be a Petri net in C with card(P ) = n. We represent its markings by vectors M ∈ N ⁿ . By assumption, Reach(N ) and the set {(M, M ^′ ) | M, M ^′ ∈ Reach(N ) and M − → ^∗ M ^′ } are effectively semilinear. Similarly, the set {(M, M ) | M ∈ Reach(N )} is effectively semilinear. Define ∆ = {(M, M ^′ ) | M, M ^′ ∈ Reach(N ) and M − → ^∗ M ^′ , M 6= M ^′ }. Then ∆ is effectively semilinear. Let ∆ ² = {(M, M ^′ ) | (∃M ^′′ ) (M, M ^′′ ) ∈

∆ and (M ^′′ , M ^′ ) ∈ ∆}. As semilinear sets are closed under projection (quantifier elimination

in Presburger arithmetic), ∆ ² is effectively semilinear. Now {(M, M ^′ ) | M ∈ Reach(N ) and

M − → ⁺ M ^′ } is equal to ∆∪∆ ² . Hence this set is effectively semilinear. Therefore, through the effective correspondence between semilinear sets and sets definable in Presburger arithmetic, any sentence ϕ of FO translates to a sentence ϕ ^′ of Presburger arithmetic logic such that URG(N ) | = ϕ if and only if ϕ ^′ is true. The proposition follows from the decidability of Presburger arithmetic [39].

When reachability sets are effectively semilinear but the reachability relation is not, the strictly less expressive logical fragment FO(− →, =) remains decidable, from Theorem 2.4.

Proposition 2.7. Let C be a class of Petri nets N for which Reach(N ) is effectively semi- linear. Then, MC ^URG (FO(− →, =)) restricted to C is decidable.

Proof. Consider a Petri net N = (P, T, F, M ₀ ) in C. Assume the Presburger formula ϕ(x ₁ , . . . , x n ) characterizes Reach(N ) where |P | = n. There is a second Presburger for- mula ϕ ^′ (x ₁ , . . . , x _n , x ^′ ₁ , . . . , x ^′ _n ) that characterizes the binary relation − → in UG(N ).

Given a sentence ψ in FO(− →, =), one can build a sentence f(ψ) in Presburger arithmetic such that URG(N ) | = ψ iff f (ψ) is satisfiable in Presburger arithmetic. The map f(·) is homomorphic for Boolean connectives. Furthermore,

⋆ f (z − → z ^′ )

= ϕ ^′ (z ₁ , . . . , z n , z ^′ ₁ , . . . , z ^′ _n ),

⋆ f (z = z ^′ )

= V

i∈[1,n]

z i = z ^′ _i ,

⋆ f (∀z χ)

= ∀z ₁ , . . . , z n (ϕ(z ₁ , . . . , z n ) ⇒ f (χ)).

To evaluate predicate − →, we resort to ϕ ^′ . With ϕ, we relativize the quantifiers to taking only positions in Reach(N) into account.

Again, decidability is preserved with Presburger-definable properties on markings and with labelled transition relations of the form − →. To give an example application of this ^t result, MC ^URG (FO(− →, =)) restricted to cyclic Petri nets is decidable. This follows from Proposition 2.7 combined with the fact that cyclic Petri nets have semilinear reacha- bility sets [9]. The restriction to language FO(− →, =) is essential for the decidability in Proposition 2.7. As we shall see in Proposition 4.5, the related model checking problem MC ^URG (FO(− →, − →)) is undecidable — even under the assumption of semilinearity for the ^∗ reachability sets.

2.4. Standard first-order fragments: modal languages. By moving along edges, modal languages provide a local view to (potentially labelled) graph structures. Note the contrast to first-order logic in which one quantifies over any element of the structure. Appli- cations of modal languages include modelling temporal and epistemic reasoning, and they are central for designing logical specification languages. In this paper, we consider sim- ple modal languages understood as distinguished fragments of first-order logic. Moreover, the modal language ML defined below has no propositional variable (like Hennessy-Milner modal logic [23] but unlike standard modal logic K [5]) and no label on modal operators (unlike in modal languages dedicated to describing labelled transition systems). This allows us to interpret modal formulae on directed graphs of the form (Reach(N ), − →). However, in some places, we shall indicate when decidability or complexity results can be extended to richer versions of ML. The modal formulae in ML are defined by the grammar

⊥ | ⊤ | ¬ϕ | ϕ ∧ ψ | ϕ | ♦ϕ | ⁻¹ ϕ | ♦ ⁻¹ ϕ.

This language is not only poor compared to first-order logic, but also little expressive compared to other modal dialects. Yet, it is sometimes sufficiently expressive to obtain first undecidability results for model checking Petri net structures. Given a modal formula ϕ, its modal degree is the greatest number of nested occurrences of modal operators in ϕ. We write ML() to denote the restriction of ML to the modal operators and ♦. We interpret modal formulae on directed graphs of the form (D, − →) for some Petri net N = (P, T, F, M ₀ ) with URG(N ) = (D, init, − →, − →, ^∗ − →, ⁺ =). We provide the definition of the satisfaction relation

| = relatively to an arbitrary directed graph M = (W, R) (and w ∈ W ). The clauses for Boolean connectives and logical constants are standard and we omit them. For the modal operators, we set

⋆ M, w | = ϕ

⇔ for every w ^′ ∈ W such that (w, w ^′ ) ∈ R, we have M, w ^′ | = ϕ.

⋆ M, w | = ♦ϕ

⇔ there is w ^′ ∈ W such that (w, w ^′ ) ∈ R and M, w ^′ | = ϕ.

⋆ M, w | = ⁻¹ ϕ

⇔ for every w ^′ ∈ W such that (w ^′ , w) ∈ R, we have M, w ^′ | = ϕ.

⋆ M, w | = ♦ ⁻¹ ϕ

⇔ there is w ^′ ∈ W such that (w ^′ , w) ∈ R and M, w ^′ | = ϕ.

As usual, and ♦ as well as ⁻¹ and ♦ ⁻¹ are dual operators that can be defined one from another as soon as negation is part of the language.

The model-checking problem MC ^URG (ML) is the following:

input:: a Petri net N = (P, T, F, M ₀ ) and a modal formula ϕ ∈ ML.

question:: (Reach(N ), − →), M ₀ | = ϕ?

Let MC ^URG (ML()) denote MC ^URG (ML) restricted to ML(). Proposition 2.8 proves this model checking problem decidable. The procedure exploits the fact that a modal formula of modal degree d can only induce constraints on nodes at distance at most d from the initial marking, a standard argument, see e.g. [5].

Proposition 2.8. MC ^URG (ML( )) is decidable and PSpace -complete.

Proof. Consider a Petri net N = (P, T, F, M ₀ ) with URG(N ) = (D, init, − →, − →, ^∗ − →, ⁺ =). Let ϕ be a modal formula in ML() with modal degree d (d is the greatest number of nested occurrences of modal operators in ϕ). We consider the directed graph M = (W, R) so that

⋆ W ⊆ N ^P and R is the restriction of − → to W .

⋆ For M ∈ N ^P we set M ∈ W

⇔ there is a sequence of transitions s of length at most d such that M ₀ [siM.

Observe that M is finite and the cardinal of W is at most exponential in the size of N and d. One can show that M, M ₀ | = ϕ iff (D, − →), M ₀ | = ϕ. Hence, MC ^URG (ML()) is decidable, because the model-checking problem for ML over finite structures is decidable (in polynomial time). The PSpace upper bound can be obtained with an algorithm similar to the one that shows CTL model-checking over 1-safe Petri nets to be in PSpace , see e.g. [13, Section 4.2]. Our problem is actually simpler since we can restrict ourselves to the temporal operators AX and EX corresponding to and ♦, respectively. We briefly describe below the nondeterministic algorithm M C ((P, T, F, M ₀ ), ϕ) that returns true whenever (D, − →), M ₀ | = ϕ. We proceed by a case analysis.

ϕ = ⊤ return true ;

ϕ = ¬ϕ ^′ : if M C ((P, T, F, M 0 ), ϕ ^′ ) then return false else return true ;

ϕ = ϕ ₁ ∧ ϕ ₂ : if M C ((P, T, F, M ₀ ), ϕ ₁ ) and M C ((P, T, F, M ₀ ), ϕ ₂ ) then return true else return false ;

ϕ = ϕ ^′ : if for some M ^′ such that M ₀ − → ^t M ^′ with t ∈ T we have M C((P, T, F, M ^′ ), ϕ ^′ ) = false then return false else return true .

Note that the depth of recursive calls for M C ((P, T, F, M ₀ ), ϕ) is bounded by the modal degree of ϕ and each call requires only polynomial space in the size of (P, T, F, M 0 ) and ϕ. Hence, M C((P, T, F, M ₀ ), ϕ) runs in nondeterministic polynomial space. By Savitch Theorem, we get the bound PSpace .

To establish PSpace -hardness, we give a reduction from QBF. Let Q ₁ p ₁ · · · Q _2n p _2n ψ be a QBF formula where Q ₁ · · · Q _2n is a sequence of quantifiers starting with Q ₁ = ∃, alternating strictly ∃ and ∀, and ψ is a quantifier-free propositional formula built over the propositional variables in {p ₁ , . . . , p _2n }. We consider a modal formula ϕ of the form ( ♦ ) ⁿ ψ ^′ where ψ ^′ is obtained from ψ by replacing each propositional variable p i by ♦ ⁱ ⊥.

Construct a Petri net N = (P, T, F, M ₀ ) as follows. The set of places P contains a subset {p 1 , . . . , p _2n }, in bijection with the atomic propositions and initially empty, plus auxiliary places. From M ₀ , N executes first a sequence of 2n independent choices (t ^′ ₁ + t ^′′ ₁ ) · (t ^′ ₂ + t ^′′ ₂ ) · . . . · (t ^′ _2n + t ^′′ _2n ) where t ^′ _i puts i tokens in place p _i to represent the truth of the corresponding atomic proposition while t ^′′ _i puts no tokens in p i to indicate the proposition does not hold.

After this sequence of binary choices, N executes a non-deterministic choice (x ₁ + · · · + x _2n ) where x _i removes one token from p _i and puts one token in a place p ^′ _i which was initially empty. Each control place p ^′ _i is set in self-loop with a transition t i that removes at each firing one token from p _i .

Existential quantifications are replaced by ♦, and universal ones by . A path relative to a formula (♦) ⁿ then ends up in a configuration where truth values have been chosen for all variables. Note that the formula needs to be true for one continuation at each ♦ position and true for each continuation at positions. The last part of the formula needs to check the truth values of individual variables. For each p i , we have a formula ♦ ⁱ ⊥ that is true only when there is precisely a path of length i, which corresponds to our encoding of truth values. The selection of each individual variable (and only one) is performed by the transition (x ₁ +· · ·+x _2n ). Altogether, (Reach(N ), − →), M ₀ | = (♦) ⁿ ψ ^′ iff Q ₁ p ₁ · · · Q _2n p _2n ψ is satisfiable. Note that Reach(N ) is finite.

For simple models (like finite structures), adding ⁻¹ to ML( ), often does not change the decidability status or the computational complexity of model checking, see e.g. [5].

When it comes to Petri net reachability graphs PURG(N ), adding the backward operator ⁻¹ preserves decidability but at the cost of performing reachability checks.

Proposition 2.9. MC ^URG (ML(, ⁻¹ )) is decidable.

Proof. Consider a Petri net N = (P, T, F, M ₀ ) with URG(N ) = (D, init, − →, − →, ^∗ − →, ⁺ =). Let ϕ be a modal formula in ML( , ⁻¹ ) of modal degree d. Define N = (P, T ∪ T ⁻¹ , F, M ₀ ) where T ⁻¹ is a set of formal inverses of the transitions in T , i.e., F (p, t ⁻¹ ) = F (t, p) and F (t ⁻¹ , p) = F(p, t) for all t ∈ T . To model check URG(N ) against ϕ, the idea is to consider a depth d unrolling of URG(N ). However, when following inverse transitions M ^′ [t ⁻¹ iM, reachability checks are needed to guarantee the target marking M belongs to the domain D of structure URG(N ). These checks are effective by Theorem 2.1 quoted from [35, 30, 31].

More formally, we consider the directed graph M ^′ = (W ^′ , R ^′ ) defined by

⋆ W ^′ ⊆ N ^P and R ^′ is the restriction of − → to W ^′ .

⋆ For M ∈ N ^P we set M ∈ W ^′

⇔ (a) M ∈ D,

(b) there is a sequence of transitions s ∈ (T ∪ T ⁻¹ ) ^∗ of length at most d such that M ₀ [siM .

Checking M ₀ [siM is easy whereas M ∈ D requires a reachability check. Observe that M ^′ is finite and effectively constructible. The cardinal of W ^′ is exponential in d. One can show that M ^′ , M ₀ | = ϕ iff (D, − →), M ₀ | = ϕ. Hence, MC ^URG (ML(, ⁻¹ )) is decidable, because model-checking ML over finite structures is a decidable problem that takes polynomial time.

The best known decision procedures for Petri net reachability are non primitive re- cursive, which provides the worst possible and hopefully not tight upper bound to the complexity of the model-checking problem MC ^URG (ML( , ⁻¹ )). Unfortunately, it might well be the case that this upper complexity bound is tight, for we shall (in turn) reduce Petri net reachability to the above model-checking problem in Section 3.4.

We introduce another decision problem about ML that is closely related to first-order model-checking over reachability graphs. The validity problem VAL ^URG (ML), also known as global model-checking, is stated as follows:

input:: a Petri net N = (P, T, F, M ₀ ) that induces the structure URG(N ) = (D, init, − →, − →, ^∗ − →, ⁺ =), and a modal formula ϕ ∈ ML.

question:: (D, − →), M | = ϕ for every marking M ∈ D ?

As observed earlier, formulae from ML(, ⁻¹ ) can be viewed as first-order formulae in FO(− →). Therefore, using modal languages in specifications is a way to consider fragments of FO(− →). Indeed, given a modal formula ϕ in ML( , ⁻¹ ), one can compute in linear time a first-order formula ϕ ^′ with only two individual variables (see e.g. [5]) that satisfies:

for every Petri net N we have PURG(N ) | = ϕ ^′ iff PURG(N ), M | = ϕ for every marking M in Reach(N ). Hence, the validity problem VAL ^URG (ML) appears as a natural counterpart to the model-checking problem for FO over unlabelled reachability graphs of Petri nets. We will see in the next section that both problems are undecidable.

We conclude the section by introducing an extension of ML that admits quantifier-free formulae from Presburger arithmetic as atomic propositions. The idea is to pose arithmeti- cal constraints on the numbers of tokens in places, and thus to increase the expressiveness of ML. We call this logic PAML and it will be mainly used in decidability results in Sec- tion 3.3. The domain of the structure for PAML needs to be of the form N ^P . More precisely, with terms t ::= a × p | t + t where p is a place and a ∈ Z we define PAML from ML by adding atomic formulae ψ defined by

ψ ::= ⊤ | t ≤ k | t ≥ k | t ≡ c k ^′ | ψ ∧ ψ | ¬ψ.

Here, ⊤ is the truth constant, c ∈ N \ {0, 1}, k ∈ Z and k ^′ ∈ N . The definition of

(Reach(N ), M ) | = ψ depends on the definition of satisfaction of ψ in Presburger arithmetic

by a tuple M. The details are as expected and we omit them here. It can be shown that

MC ^URG (PAML(, ⁻¹ )) is decidable. The proof is similar to the proof of Proposition 2.9.

3. Structural Properties of Unlabelled Net Reachability Graphs We study the decidability status of model checking unlabelled reachability graphs of Petri nets against the first-order and modal logics defined in the previous section. Recall that the logics are designed to expressing purely graph-theoretical properties of reachability graphs.

3.1. A proof schema for undecidability of FO(− →). To establish undecidability of MC ^URG (FO(− →)), model checking reachability graphs against first-order specifications, we provide a reduction of the equality problem for reachability sets. For two Petri nets N ₁ and N ₂ with identical sets of places, Hack proved it to be undecidable whether the sets of reachable markings Reach(N ₁ ) and Reach(N ₂ ) coincide (Theorem 2.2 recalls this result from [21]). To encode the equality problem into a first-order model checking problem, we join N ₁ and N ₂ in a third Petri net N . The construction ensures that equality of the reach- ability sets can be checked with a first-order query: Reach(N ₁ ) = Reach(N ₂ ) if and only if PURG(N ) | = ϕ. Interestingly, ϕ is a fixed formula and thus independent of the inputs N ₁ and N ₂ . Before we turn to the technicalities, we sketch the idea of the construction and comment on why it yields so much expressiveness. With an initial guess, N decides to simulate either N ₁ or N ₂ . At any time, N may stop the simulation. Then N either starts behaving in different ways according to the initial choice between N ₁ and N ₂ . Alternatively, N may forget this choice and enter a deadlock marking M that reflects the last marking of N ₁ or N ₂ in the simulation.

The reachability sets of N ₁ and N ₂ are equal if and only if every simulation result M can be obtained from both, N ₁ and N ₂ . But inspecting M in isolation does not reveal whether it stemmed from N ₁ or N ₂ . The idea is in the different behaviours that recall the initial guess when the simulation ends. They yield a neighbourhood of M in the reachability graph of N that reveals the origin of the marking. Indeed, with finite experiments we can check whether M is found in the simulation of N ₁ or N ₂ . Equality of the reachability sets is then checked by a formula ϕ which requires that, for any simulation result M , both experiments witnessing for N ₁ and N ₂ succeed. The experiments consist of one backward transition and some forward transitions. Backward transitions reconstruct the initial choice, and forward transitions distinguish the nets N ₁ and N ₂ .

The strength of this construction stems from the combination of two ideas. A Petri net can (i) store choices over arbitrarily long histories and (ii) reveal this propagated infor- mation in local structures. These structures can be characterised by finite back and forth experiments that are expressed in terms of first-order formulae.

Construction. The two nets N ₁ and N ₂ to be compared for equality of reachability sets share all places. The constructed net, N , has these places together with an initialization place p, two control places p ₁ and p ₂ , and additional places p ^′ ₁ , p ^′′ ₁ , and p ^′ ₂ that we will elaborate on below. The initialization place is the only place that is initially marked, by a single token.

As transitions, N has the disjoint union of the transitions of N ₁ and N ₂ , plus additional transitions that we introduce now together with an explanation of their intended behaviour.

The original transitions are put in self-loop with the respective control places. Furthermore,

we have two concurrent transitions t ¹ _c , t ² _c that consume the initial token and mark either p ₁

and all places marked in the initial configuration of N ₁ or p ₂ and all places marked in the

initial configuration of N ₂ . Firing t ¹ _c starts the simulation of N ₁ , and similar for t ² _c . Each

subnet N ₁ and N ₂ may be stopped at any time by firing transitions t ¹ _end and t ² _end that move

the token from the control place p ₁ or p ₂ to the place p ^′ ₁ or p ^′ ₂ , respectively. As a result, the token count on the places of N ₁ and N ₂ is not changed any more.

When the transitions t ¹ _end and t ² _end have been fired, N behaves as indicated in Figure 3.1 below M ₁ and M ₂ , respectively. At a marking M ₁ , place p ^′ ₁ enables a transition t ¹ _ℓ which puts a token on p ^′′ ₁ , depicted by M in the figure. The place enables a transition t _sl in self-loop. Furthermore, two transitions t ¹ _dl and t ² _dl (from M ₁ to M _ℓ and from M ₂ to M _r ) empty the places p ^′ ₁ and p ^′ ₂ . The markings reached by these transitions are designed to be deadlocks. Moreover, by construction of N , deadlock markings can only be reached this way (as M _ℓ or M _r or both). Since, firing t ¹ _dl or t ² _dl lets N forget the index 1 or 2 of the net that was simulated, we have the following relationship. Whenever a marking M is reached both in N ₁ and N ₂ , the corresponding markings in N lead to M _ℓ = M r

N

N

M

M

M

M M

M

t

t

t

t

t

t

t

t

Figure 3.1: Reachability graph of N

A formula expressing equality of the reachability sets of N ₁ and N ₂ (without recycling variables) is defined hereafter:

ϕ

= ∀ z (¬∃z ^′ z → z ^′ ) ⇒ (∃z ₁ z ₁ → z ∧ ϕ l (z ₁ )) ∧ (∃z ₂ z ₂ → z ∧ ¬ϕ l (z ₂ ))

Formula ϕ l (x)

= ∃ y (x − → y ∧ y − → y) indicates that x has a successor that has a 1-loop.

Lemma 3.1. Reach(N ₁ ) = Reach(N ₂ ) if and only if PURG(N ) | = ϕ.

Proof. For the implication from left to right, consider a deadlock M. Marking M is reachable only via t ¹ _dl or t ² _dl , say M ₁ [t ¹ _dl iM . Then marking M ₁ satisfies ϕ l and stems from a marking M ₁ ^′ [t ¹ _end iM ₁ of N ₁ . The hypothesis on equal reachability sets yields a marking M ₂ ^′ of N ₂ that leads by transition t ² _end to a marking M ₂ satisfying ¬ϕ l as required.

In turn, if ϕ holds we establish two inclusions. To show Reach(N ₁ ) ⊆ Reach(N ₂ ),

consider marking M ₁ ^′ reachable via sequence s ₁ in N ₁ . In N , the marking can be prolonged

to a deadlock M with M ₀ ^′ [t ¹ _c iM ₀ ¹ [s ₁ iM ₁ ^′ [t ¹ _end iM ₁ [t ¹ _dl iM . Here, M ₁ satisfies ϕ l . But ϕ yields

another predecessor M ₂ of M with M ₂ 6= M ₁ . To avoid the 1-loop, marking M ₂ has to

result from a sequence M ₀ ^′ [t ² _c iM ₀ ² [s ₂ iM ₂ ^′ [t ² _end iM ₂ [t ² _dl iM . It is readily checked that M ₁ ^′ and

M ₂ ^′ coincide up to the token on the control place. Hence, M ₁ ^′ ∈ Reach(N 2 ) as required.

Corollary 3.2. MC ^URG (FO(− →)) is undecidable, already for the fixed formula ϕ given in this section.

By recycling variables in ϕ above, we get a sharp result that marks the undecidability border of model checking against FO(− →) by two variables. Model checking FO(− →) restricted to one variable is decidable.

Theorem 3.3. There exists a formula ϕ in FO(− →) with two individual variables such that MC ^URG (FO(− →)) restricted to ϕ is undecidable.

Proof. It is sufficient to observe that formula ϕ below

∀z (¬∃z ^′ z → z ^′ ) ⇒ (∃z ₁ z ₁ → z ∧ ϕ l (z ₁ )) ∧ (∃z ₂ z ₂ → z ∧ ¬ϕ l (z ₂ )) with ϕ l (x)

= ∃y (x − → y ∧ y − → y) is logically equivalent to the formula

∀z (¬∃z ^′ z → z ^′ ) ⇒ (∃z ^′ z ^′ → z ∧ ϕ ^′ l (z ^′ )) ∧ (∃z ^′ z ^′ → z ∧ ¬ϕ ^′ l (z ^′ )) where ϕ ^′ _l (z ^′ )

= ∃ z (z ^′ − → z ∧ z − → z). Recycling of variables is explained e.g. in [15].

Moreover, combined with the fact that model checking first order logic for automatic structures is decidable, Theorem 3.3 leads to the following impossibility result.

Corollary 3.4. There is no algorithm to construct an automatic graph isomorphic to the unlabelled reachability graph of a Petri net.

Note that this negative result cannot follow directly from complexity-theoretic consider- ations. Indeed, even if the unlabelled reachability graph of a Petri net could be represented as an automatic graph, this automatic graph could not be used to decide on reachability of markings unless this representation were in effective bijection with N ⁿ (where n is the number of places).

Restricted to a single variable, model checking FO(− →) becomes decidable.

Proposition 3.5. MC ^URG (FO(− →)) restricted to one individual variable is decidable.

Proof. Every sentence in FO(− →) restricted to one individual variable is logically equivalent either to ⊥, or to ⊤, or to a positive Boolean formula with atomic formulae of one of the forms below:

(1) ∃x (x − → x) (2) ∃x ¬(x − → x) (3) ∀x (x − → x) (4) ∀x ¬(x − → x).

Since (2) is the negation of (3) and (1) is the negation of (4), decidability is obtained by evaluating (1) PURG(N ) | = ∃x (x − → x) and (3) PURG(N ) | = ∀x (x − → x). (1) can be checked by solving one instance of the covering problem for each neutral transition of the net whereas (3) can be checked by solving a single instance of the reachability problem. Indeed, let T be the subset of transitions of the net that leave markings unchanged (neutral transitions).

Then the set of markings specified hereafter is effectively semilinear:

Z

= {M : not M [ti for all t ∈ T }

We have not PURG(N ) | = ∀ x (x − → x) iff there is a marking M ∈ Z that is reachable,

M ₀ − → ^∗ M . With [21, Lemma 4.3] this reduces to an instance of the reachability problem.

It is possible to play further with parameters. For instance, our undecidability proof uses several reachability graphs with constant formulae. It is open whether there is a fixed Petri net reachability graph for which the model-checking problem for FO(− →) is undecidable.

3.2. Robustness of the proof schema. Based on the previous proof schema, this section presents undecidability results for subproblems of MC ^URG (FO(− →)). More specifically, we consider the positive fragment, the forward fragment, the restriction when the direction of edges is omitted, and ML(, ⁻¹ ). For all these fragments, we establish undecidability of model checking.

3.2.1. Forgetting orientation. Let λ(x, x ^′ )

= (x − → x ^′ ) ∨ (x ^′ − → x). Expressing properties about PURG(N ) in FO(λ) amounts to getting rid of the direction of edges of this graph.

Despite this weakening, undecidability is still present for general Petri nets. To instan- tiate the above argumentation, we have to identify deadlock markings and analyse their environment. In FO(λ), we augment markings encountered during the simulation by 3- cycles. Then, the absence of 3-cycles and an environment without such cycles characterises deadlock markings.

Proposition 3.6. MC ^URG (FO(λ)) is undecidable.

Proof. We take advantage of the fact that FO(λ) can express that a node x belongs to an undirected cycle of length three. A possible formula is:

3cycle(x)

= ∃y∃z (λ(x, y) ∧ λ(y, z) ∧ λ(z, x)) ∧ ¬(λ(x, x) ∨ λ(y, y) ∨ λ(z, z))

Now consider two Petri nets N ₁ and N ₂ with identical sets of places. For 1 ≤ i ≤ 3, add to each net new places p _i and transitions t _i such that p ₁ contains initially one token, while p ₂ and p ₃ are empty. Transition t _i takes one token from p _i and puts one token in p _{i+1 mod 3} . The resulting Petri nets have identical reachability sets if and only if N ₁ and N ₂ have identical reachability sets. Therefore, equality of reachability sets is undecidable for nets in which every reachable marking belongs to some cycle of length three. Assuming that N ₁ and N ₂ have this property, let N be the net constructed from N ₁ and N ₂ as in the proof of Proposition 3.3 (see also Figure 3.1). We can assume without loss of generality that every transition of N ₁ and N ₂ changes the current marking (the other transitions do not affect the reachability sets and can be removed). As a consequence, the reachability graphs of the augmented nets N ₁ and N ₂ have no 1-loops, which is required for the effectiveness of 3cycle(x). The deadlock markings of N are then exactly the markings that have no cycle of length one or three and that are surrounded by nodes without cycles of length three:

dead(z)

= ¬λ(z, z) ∧ ¬3cycle(z) ∧ ∀x λ(z, x) ⇒ ¬3cycle(x).

Equality of the reachability sets of N ₁ and N ₂ is then expressed by the formula ϕ below

∀z dead(z) ⇒ (∃z ₁ λ(z, z ₁ ) ∧ ϕ _l (z ₁ )) ∧ (∃z ₂ λ(z, z ₂ ) ∧ ¬ϕ _l (z ₂ ))

where ϕ _l (z)

= ∃y λ(z, y) ∧ λ(y, y). We have Reach(N ₁ ) = Reach(N ₂ ) iff N | = ϕ. By

Theorem 2.2, MC ^URG (FO(λ)) is undecidable.

3.2.2. A well-known first-order fragment: ML(, ⁻¹ ). To establish undecidability of the problem VAL ^URG (ML( , ⁻¹ )), we again provide a reduction from the equality problem for Petri net reachability sets.

Proposition 3.7. VAL ^URG (ML(, ⁻¹ )) is undecidable.

Proof. Consider two Petri nets N ₁ and N ₂ with identical sets of places. We rely on the construction of N in Section 3.1, but give a modal formula ϕ (independent of N ₁ and N ₂ ) that yields the following equivalence: N ₁ and N ₂ have the same reachability set iff PURG(N ), M | = ϕ for every marking M in Reach(N ). For all deadlocks, there is one predecessor (from N ₁ ) that is able to do two more steps and another predecessor (from N ₂ ) that is not: ϕ

= ⊥ ⇒ (♦ ⁻¹ ♦♦⊤ ∧ ♦ ⁻¹ ⊥). Formula ϕ is semantically equivalent to the first-order formula ϕ _{f o} defined below:

∀z (¬∃z ^′ z → z ^′ ) ⇒ (∃z ₁ , z ₂ , z ₃ (z ₁ − → z) ∧ (z ₁ − → z ₂ ) ∧ (z ₂ − → z ₃ )) ∧ (∃z 1 (z 1 − → z) ∧ ∀z 2 , z 3 ¬((z 1 − → z 2 ) ∧ (z 2 − → z 3 ))).

This undecidability result is tight. In Section 3.3.2, we establish decidability of an extended variant of VAL ^URG (ML()) where the backward modality ⁻¹ is excluded. Moreover, by translating formulae in ML(, ⁻¹ ) to FO(− →) restricted to two individual variables, we get another evidence that MC ^URG (FO(− →)) restricted to two individual variables is undecidable.

3.2.3. FO(− →) restricted to positive or forward formulae. Although VAL ^URG (ML( , ⁻¹ )) and MC ^URG (FO(− →)) are undecidable in general, we have identified decidable fragments of modal logic in Section 2.4. By analogy, one may expect to find decidability of related fragments of first-order logic. We prove here that this is not the case. We consider forward FO(− →) and positive FO(− →) and show that their model checking problems are undecidable.

In a positive formula, atomic propositions occur only under the scope of an even number of negations. Let FO ⁺ ( P ) denote the set of positive first order formulae over predicates in P . Proposition 3.8. MC ^URG (FO ⁺ (− →)) is undecidable.

Proof. We rely on the previously introduced proof schema. Let N ₁ and N ₂ be two Petri nets and N their combination sketched in Figure 3.1. We propose a positive formula ϕ so that inclusion Reach(N ₂ ) ⊆ Reach(N ₁ ) holds if and only if PURG(N ) | = ϕ:

ϕ

= ∀z ∃z 1 ∃y ℓ ∃z ^′ (z − → z ^′ ) ∨ ((z 1 − → z) ∧ (z 1 − → y ℓ ) ∧ (y ℓ − → y ℓ ))

The formula considers an arbitrary marking M . If M is no deadlock, nothing is required by ϕ. If M is a deadlock, then ϕ asks for vertices M ₁ and M so that M ₁ is a common direct ancestor of M and M and moreover M has a 1-loop.

By construction of N , formula ϕ is satisfied if and only if every deadlock marking

M reachable in N (in particular, a simulation of N ₂ ) can be reached in N ₁ . This means

Reach(N ₂ ) ⊆ Reach(N ₁ ).

Open problem 1. Decidability status of MC ^URG (FO ⁺ ( − →)). ^∗ A forward formula is a formula in which every occurrence x − → y is in the scope of a quantifier sequence of the form Q ₁ x . . . Q ₂ y where x is bound before y. Let FO f ( P ) denote the set of forward formulae over predicates in P .

Proposition 3.9. MC ^URG (FO f (− →)) is undecidable.

Proof. We again reduce the equality problem for reachability sets of two Petri nets N ₁ and N ₂ . Let N be the net presented in Figure 3.1. We propose a forward formula ϕ so that Reach(N 2 ) = Reach(N 1 ) if and only if PURG(N ) | = ϕ:

ϕ

= ∀z ₂ ∃z ₁ ∀z ∃ y ℓ ∃z ^′ (z ₂ − → z) ⇒ ((z − → z ^′ ) ∨ ψ(z ₁ , z ₂ , z, y ℓ )) ψ(z ₁ , z ₂ , z, y _ℓ )

= (z ₁ − → z) ∧ (y _ℓ − → y _ℓ ) ∧ ((z ₁ − → y _ℓ ) ⇔ ¬(z ₂ − → y _ℓ ))

Forward formulae make it harder to quantify over deadlock markings M. Before presenting how formula ϕ enables the reduction, a short comment on quantification: this formula intends to quantify over z, but the forward constraint imposes first to quantify over z ₂ , then on z 1 , and only afterwards on z. This is not a problem since, once z 2 is fixed, variable z 1 may be fixed, and then z may be chosen. The idea of ϕ is to capture the situation in Figure 3.1, potentially with the roles of M ₁ and M ₂ swapped. In detail, the formula considers an arbitrary marking M ₂ , a corresponding marking M ₁ (if it exists), and an arbitrary marking M . If M ₂ and M are not connected, then ϕ requires nothing. If M ₂ and M are connected and M is no deadlock, there are also no requirements. Otherwise M ₂ and M are connected and M is a deadlock. In this case, there must be a marking M (valuation for y _ℓ ) so that formula ψ is true for (M 1 , M ₂ , M, M ). The formula ψ checks that deadlock M is reachable in both N ₁ and N ₂ , see Figure 3.1. Thus, Reach(N 1 ) = Reach(N 2 ) iff PURG(N ) | = ϕ. This proves the claimed undecidability.

Open problem 2. Decidability status of MC ^URG (FO _f ( − →)). ^∗ While forward formulae can well identify the deadlock markings used in the proof schema, the difficulty is in the description of the local environment witnessing the simulation results.

3.3. Taming undecidability with fragments. In this section, we present the restrictions of FO(− →) that we found to have decidable model checking or validity problems.

3.3.1. Existential fragment. Our undecidability results follow a common principle, namely identifying a local pattern in the reachability graph that characterizes an undecidable property. The pattern may depend on the specification language. Below, we state a re- sult that, at first glance, might seem to contradict the previous findings: decidability of MC ^URG (FO(− →)) restricted to the existential fragment. This decidability, however, simply implies that universal quantification is needed to characterize undecidable properties by local patterns. We write ∃FO for the fragment of FO consisting of those formulae that use only existential quantification when written in prenex normal form.

Proposition 3.10. MC ^URG (∃FO(− →, =)) is decidable.

Proof. Let N = (P, T, F, M 0 ) be a Petri net with reachability set Reach(N ) and |P | = n.

Decidability follows from two crucial properties:

(1) Given a Presburger formula ϕ(~ x ₁ , . . . ,~ x _α ) with n × α free variables such that each ~ x _i is a sequence of n distinct variables interpreted as a marking of N , one can decide whether ϕ(M ₁ , . . . , M α ) holds true for some (not necessarily distinct) markings M ₁ , . . . , M α in Reach(N ). Proposition 2.3 corresponds to the case α = 1.

(2) One can effectively construct a quantifier-free Presburger formula ϕ − → ( ~ x ₁ ,~ x ₂ ) so that for all markings M ₁ , M ₂ , formula ϕ − → (M ₁ , M ₂ ) holds iff M ₁ [tiM ₂ for some t ∈ T . Before we turn to the proofs of (1) and (2), we explain how these results yield decidability of MC ^URG (∃FO(− →, =)). Consider ψ = ∃ x ₁ , . . . , x α ψ ^′ where ψ ^′ is a quantifier-free formula with atomic propositions of the form x i − → x j and x i = x j . With (2), one constructs a quantifier-free Presburger formula ϕ(~ x 1 , . . . ,~ x α ) so that for all markings M ₁ , . . . , M _α in Reach(N ), formula ϕ(M ₁ , . . . , M α ) holds true iff PURG(N ), v | = ψ ^′ where v(~ x i ) = M i

for 1 ≤ i ≤ α. By (1), it is decidable whether ϕ(M ₁ , . . . , M _α ) holds for some markings M ₁ , . . . , M α ∈ Reach(N ). This is equivalent to URG(N ) | = ψ.

It remains to prove (1) and (2). The formula ϕ − → (~ x ₁ , ~ x ₂ ) for statement (2) encodes the definition of enabledness and firing for transitions, M [tiM ^′ :

_

t∈T

( ^

p∈P

~ x ₁ (p) ≥ F (p, t)) ∧ ( ^

p∈P

~ x ₂ (p) = ~ x ₁ (p) − F (p, t) + F (t, p)).

For statement (1), we adapt the proof of Proposition 2.3. We construct a Petri net N ^′ that simulates α copies of N . Technically, N ^′ is defined as the disjoint union of α instances of N . The initial marking of N ^′ is α times M ₀ . For all markings M ₁ , . . . , M _α we now have the following equivalence: the markings are reachable in N and satisfy ϕ(M ₁ , . . . , M _α ) iff (M ₁ , . . . , M _α ) is a possible simulation result in N ^′ and ϕ(M ₁ , . . . , M _α ) holds. An application of Proposition 2.3 on N ^′ and ϕ yields the desired decidability result.

Again, decidability is preserved with Presburger-definable properties on markings and with labelled transition relations of the form − →. ^t

Corollary 3.11. MC ^URG (FO(− →, =)) restricted to Boolean combinations of existential for- mulae is decidable.

Consequently, the following subgraph isomorphism problem is decidable too:

input: a finite directed graph G = (V, E) and a Petri net N . question: is there a subgraph of (Reach(N ), − →) isomorphic to G?

Open problem 3. Decidability status of MC ^URG (∃FO( − →)) and MC ^{∗ URG} (∃FO( − →, ^∗ − →)).

3.3.2. ML( ) with arithmetical constraints. Section 3.2.2 proves that VAL ^URG (ML( , ⁻¹ )) is undecidable. To our surprise, and in contrast to the negative result on model checking the forward fragment of FO, this undecidability depends on the backward modality. The following Proposition 3.12 shows decidability of the validity problem for ML(), even in the presence of arithmetical constraints at the atomic level.

Proposition 3.12. The validity problem VAL ^URG (PAML()) is decidable.

Proof. Let N be a Petri net, and ϕ a formula in PAML(). According to Lemma 3.13 stated hereafter, the set of markings satisfying ¬ϕ is effectively semilinear. Let X _¬ϕ be this set. Proving validity of ϕ amounts to checking that no element of X _¬ϕ is reachable in N.

This is decidable from Proposition 2.3.

Lemma 3.13. Given a Petri net N with n places and a formula ϕ in PAML(), the set of markings in N ⁿ satisfying ϕ in UG(N ) is effectively semilinear.

Proof. We proceed by induction on the structure of ϕ, using the fact that semilinear sets are (effectively) closed under Boolean operations and the fact that, if X is semilinear, then pre(X) = {M ∈ N ⁿ : ∃ M ^′ ∈ X, M − → M ^′ } is effectively semilinear too. The latter set pre(X) contains all markings with a successor marking in X.

Each atomic formula is a quantifier-free Presburger formula, and as such, defines a semilinear set. Throughout the induction on the structure of ϕ, formulae with outermost Boolean connectives are treated in the obvious way by applying Boolean operations on semilinear sets. Eventually one has to prove that ψ defines a semilinear set whenever ψ does. Using the induction hypothesis, let X _ψ be the semilinear set of markings satisfying ψ. The set satisfying ψ is then equal to N ⁿ \ pre( N ⁿ \ X _ψ ), which is effectively semilinear.

This concludes the induction, and the proof.

This decidability result can be extended by allowing labels on edges (transitions).

3.4. On the hardness of decidable problems. Some of our decision procedures call subroutines for checking reachability in Petri nets, even though the reachability problem is not known to be primitive recursive. We provide here some complexity-theoretic justifica- tion for these costly invocations: we reduce the reachability problem for Petri nets to the decidable problems MC ^URG (ML(, ⁻¹ )) and MC ^URG (∃FO(− →)). Besides reachability, we proposed decision procedures that exploit the effective semilinearity of reachability sets or relations (see e.g. Proposition 2.7). The next proposition shows that, already for bounded Petri nets, MC ^URG (FO(− →)) is of high complexity.

Proposition 3.14. MC ^URG (FO(− →)) restricted to bounded Petri nets is decidable but this problem has nonprimitive recursive complexity.

Proof. We perform a reduction from the finite containment problem for Petri nets, known to have nonprimitive recursive complexity [36]. Let N ₁ and N ₂ be two bounded Petri nets with identical sets of places, and construct N as in Section 3.1. This net is bounded. The formula ϕ in FO(− →) that checks inclusion is derived from the formula in Section 3.1:

∀z (¬∃z ^′ z → z ^′ ) ⇒ (∃z ₂ z ₂ → z ∧ ¬ϕ ^l (z ₂ ))

where ϕ l (x)

= ∃y (x − → y ∧ y − → y). The construction guarantees Reach(N ₁ ) ⊆ Reach(N ₂ ) iff URG(N ) | = ϕ. Indeed, a deadlock is either reachable from N ₂ or from N ₁ . But to satisfy the formula, if the deadlock is reachable from N ₁ it also has to be reachable from N ₂ . Note that the formula ϕ is again independent of N ₁ and N ₂ .

We have seen that VAL ^URG (ML() is decidable by reduction to the reachability prob- lem for Petri nets (see Proposition 3.12). Below, we state that there is a reduction in the reverse direction, from non-reachability to VAL ^URG (ML().

Proposition 3.15. There is a logarithmic-space reduction from the non-reachability prob- lem for Petri nets to VAL ^URG (ML( )).

Proof. Without any loss of generality, we can assume that the non-reachability problem

is restricted to the target marking ~ 0 (no place has any token). Consider the Petri net

N = (P, T, F, M ₀ ) where we assume w.l.o.g. that every transition has a place in its preset.